New Data Breach Law Comes into Effect from Today

The Notifiable Data Breaches (NDB) scheme comes into effect today, requiring Australian agencies & organisations that are covered by the Privacy Act to report any data breach that is likely to result in “serious harm”. Failure to comply can result in massive fines of up to $2 million.

Given the recent number of data breaches, including the Australian Red Cross Blood Bank Service breach in which personal details of 550,000 blood donors leaked, many Australians believe the legislation was long overdue.

Security analyst Troy Hunt disclosed that even his own wife’s blood donation records were in the dataset which had been extracted. However, the Red Cross took immediate steps to contain it. Their communication was absolutely fantastic. They notified affected individuals via text message and email. Also, they issued press releases confirming that a data breach had occurred & published statements on their website as well as social media sites.

Uber, on the other hand, concealed a massive hack that exposed the data of 57m users & drivers. The company paid the hackers $100,000 to delete the data and keep the breach quiet.

However, the consequences of a data breach will now get much, much more serious. As of today, many Australian businesses are subject to the country’s new notifiable data breaches scheme and are now legally obliged to report data breaches or cop hefty fines.

“Meeting privacy obligations and the expectations of the community continues to be essential. Only by demonstrating a commitment to privacy can organisations build and maintain people’s trust and a social licence for innovative uses of data,” said Australia’s outgoing Information and Privacy Commissioner Timothy Pilgrim.

What is the aim of this scheme?

The aim of the scheme is to improve transparency as well as further strengthen privacy protections. From now on, organisations won’t be able to keep silent about serious data breaches. They will be compelled to report notifiable data breaches to the affected individuals & to the OAIC.

Know who exactly will be affected

This bill will apply to all organisations that are responsible for keeping personal information secure under the Privacy Act, including Australian Government agencies, not-for-profit organisations & businesses with an annual turnover of more than $3 million.

The Act will also apply to some types of businesses with an annual turnover of $3 million or less, like:

  • Childcare centres, private tertiary educational institutions & private schools
  • Private sector health service providers – even alternative medicine practices, weight loss clinics & gyms fall under this category
  • Businesses that purchase or sell personal information, along with credit reporting bodies.

What types of breaches will be ‘notifiable’?

Many organisations in Australia collect sensitive information such as names, addresses, tax file numbers, credit card details, financial information, medical history, etc. The Privacy Act stipulates that this sensitive information must be kept secure. If this kind of highly sensitive information is disclosed, lost, or accessed without authorisation, a breach is deemed to have occurred.

And breaches will be ‘notifiable’ when they are likely to cause serious harm to the affected organisation or individual.

What is meant by ‘serious harm’?

Serious harm is considered to have occurred if someone suffers reputational damage, financial or personal loss, risk to personal safety, or another kind of harm, be it psychological or physical.

The organisation will need to investigate a suspected breach to determine the level of harm, report any notifiable breach, & take the necessary steps to prevent further damage. All of this must be done within 30 days of the data breach.

What does “Readiness” for the NDB Scheme look like?

  • Avoiding being breached in the first place
  • Educating staff on legal obligations under the scheme
  • Preparing for a breach the same way as you would prepare for disaster recovery
  • Having a discussion with leadership/board

If a company is confident that the breach has been contained & the customers are not at risk, they could be exempt from reporting the incident.

And it is not just Australian businesses that are compelled to report breaches. Even foreign companies operating on Australian soil will come under the law.